Hi,
I am planning to write a shadow filter driver, that will monitor the changes in the filesystem and will undo the changes in the filesystem after a reboot. I have seen many commercial products that do this, so i think this project is doable 
My filter driver is legacy driver ( not minifilter ) and i have succesfully used the trick described in OSR FAQ to prevent re-entrancy in driver caused by using ZwCreate functions while processing IRP_MJ_CREATE.
My initial plan was to copy the files during IRP_MJ_CREATE to a temp folder and the redirect the IRP to the temp file by using file reparse technique. This way, original files will not be modified in any ways.
But i think my whole idea was a bit amateurish. Consider the performance penalty while copying a 600mb iso image. So there must be some more efficient way of doing this. Probably monitoring all the SET and WRITE Irps ?
I think nothing is as simple as it seems to be. So before proceeding further, i think its time to ask the experts.
Can some please provide me some overview of how to create a shadow filter driver ?
Thanks.
Gautam
Why do you want a filesystem filter for this and not a disk filter ? It must
be very complicated to keep track of file system changes compared to changes
to disk sectors. Have you also considered using the system restore functon
in Windows?
/Daniel
wrote in message news:xxxxx@ntfsd…
> Hi,
>
> I am planning to write a shadow filter driver, that will monitor the
> changes in the filesystem and will undo the changes in the filesystem
> after a reboot. I have seen many commercial products that do this, so i
> think this project is doable
>
> My filter driver is legacy driver ( not minifilter ) and i have
> succesfully used the trick described in OSR FAQ to prevent re-entrancy in
> driver caused by using ZwCreate functions while processing IRP_MJ_CREATE.
>
> My initial plan was to copy the files during IRP_MJ_CREATE to a temp
> folder and the redirect the IRP to the temp file by using file reparse
> technique. This way, original files will not be modified in any ways.
>
> But i think my whole idea was a bit amateurish. Consider the performance
> penalty while copying a 600mb iso image. So there must be some more
> efficient way of doing this. Probably monitoring all the SET and WRITE
> Irps ?
>
> I think nothing is as simple as it seems to be. So before proceeding
> further, i think its time to ask the experts.
>
> Can some please provide me some overview of how to create a shadow filter
> driver ?
>
> Thanks.
>
> Gautam
>
Hi,
gmgc> But i think my whole idea was a bit amateurish. Consider the
gmgc> performance penalty while copying a 600mb iso image. So there must
gmgc> be some more efficient way of doing this. Probably monitoring all
gmgc> the SET and WRITE Irps ?
all "shadow protect" filters I know operate at the file system cluster
level using the copy-on-write concept and use unallocated space in the
file system for caching.
Ralf.
> to disk sectors. Have you also considered using the system restore functon
in Windows?
System Restore is file-based, not block-based.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
Hi,
It seems that for writing creating snapshots, file based filtering is the right way to go. However, for creating shadow filter drivers, it seems that sector based disk upper filter is the way to go, because i plan to discard the changes made to filesystem after a reboot.
Since i am relatively unaware of disk upper filter drivers, i decided to take a look into sample provided with ddk before asking any further questions.
I am still confused about redirecting IO requests in read/write dispatch routines. How do i redirect the requests ? How can i make sure that there is some space allocated for writing the changes ? Do i have to preallocate space using a file ? How do i discard the changes after a reboot ? Any pitfalls to avoid ?
I dont expect a detailed explaination, but a brief overview will be really helpfull.
Thanks.
Gautam
Yes you need to think well where and how to store temporarily changes to the
disk. You will need also some clever mechanism such as a hash table to
quickly find out whether a block which is being read has been (possibly)
changed so it is (maybe) available in your cache. Your filter will complete
write IRPs, read IRPs are completed by your filter only if they are
available in your temporary cache otherwise they are passed on. I think you
will need a very clever design and lots of testing to make this perform
well. Checkout the diskperf sample as an example of a disk filter, the KMDF
does not have such a sample.
/Daniel
wrote in message news:xxxxx@ntfsd…
> Hi,
>
> It seems that for writing creating snapshots, file based filtering is the
> right way to go. However, for creating shadow filter drivers, it seems
> that sector based disk upper filter is the way to go, because i plan to
> discard the changes made to filesystem after a reboot.
>
> Since i am relatively unaware of disk upper filter drivers, i decided to
> take a look into sample provided with ddk before asking any further
> questions.
>
> I am still confused about redirecting IO requests in read/write dispatch
> routines. How do i redirect the requests ? How can i make sure that there
> is some space allocated for writing the changes ? Do i have to preallocate
> space using a file ? How do i discard the changes after a reboot ? Any
> pitfalls to avoid ?
>
> I dont expect a detailed explaination, but a brief overview will be really
> helpfull.
>
> Thanks.
>
> Gautam
>